Quick Security Alert Regarding Bluefish Editor
This will be a quick post because I've been slammed with work lately, but I just wanted to mention something alarming that I discovered the other day. As I started using Bluefish Editor, I started noticing all sorts of extra files on my server with a ~ at the end of the filename (index.php~, for example). So I tried typing one of those into my browser and, to my alarm, found that my server was displaying the raw PHP code! The reason is simple: Apache only hands files ending in .php to the PHP interpreter, so a file named index.php~ does not match the handler and is served as an ordinary static file, source and all. That is a serious security risk, since PHP source routinely contains database credentials and other secrets and shows an attacker exactly how the application works. So, here's how I fixed it:
- I disabled the auto-backup feature in the editor. In Bluefish, this was just an option in the preferences menu. Note: I have no idea why they would have this as a default setting. It makes no sense to me. Anyway...
- I deleted all of those extra files I could find.
- I modified the .htaccess file to prevent any of them that I missed in the cleanup from being displayed. Add the following to the .htaccess in your document root (it applies to every directory below it) and the server will answer 403 Forbidden whenever anyone requests a file whose name ends in ~. Two caveats: the directives only take effect if the server configuration's AllowOverride permits them (Limit, for the Order/Deny directives used here), and the rule is a backstop rather than a cleanup, because the backup files are still on disk and still readable by anything else on the server.
# Apache 2.2 access-control syntax. Apache 2.4 still accepts it through
# mod_access_compat; the 2.4-native form replaces the Order/Deny pair with
# "Require all denied". The "~" after Files makes the argument a regex,
# and "~$" matches any filename that ends in a tilde.
<Files ~ "~$">
Order allow,deny
Deny from all
</Files>
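As an added example that is not part of the original post, here is a small POSIX shell script that does the cleanup step (finding and removing the stray ~ files under a web root, with a dry-run mode) and checks the .htaccess rule against the live server by asking for a backup URL and expecting a 403. The web root path, the --dry-run switch, the function names and the curl check are my own assumptions; only the trailing-~ pattern comes from the post.

```shell
#!/bin/sh
# Added example, not from the original post: clean up editor backup files
# under a web root and verify that the server refuses them.
# Bluefish writes "name~" (e.g. index.php~); that trailing tilde is the only
# pattern taken from the post. Paths and function names are assumptions.

# List every regular file under the given web root whose name ends in "~",
# one path per line, sorted so the output is stable.
find_backup_files() {
    find "$1" -type f -name '*~' | sort
}

# Number of backup files under the given web root.
count_backup_files() {
    find_backup_files "$1" | wc -l | tr -d ' '
}

# The same test the .htaccess rule <Files ~ "~$"> applies: a trailing "~".
# Returns 0 when the name would be denied, 1 when it would be served.
is_backup_name() {
    case $1 in
        *~) return 0 ;;
        *)  return 1 ;;
    esac
}

# Delete backup files under $1. With "--dry-run" as $2, only print the
# paths that would be removed and touch nothing.
remove_backup_files() {
    if [ "${2:-}" = "--dry-run" ]; then
        find "$1" -type f -name '*~' -print
    else
        find "$1" -type f -name '*~' -exec rm -f {} +
    fi
}

# Request a backup URL from the live server and succeed only on 403.
# Needs curl and network access, so it is not part of the offline checks.
# Example (assumed URL): check_forbidden http://example.com/index.php~
check_forbidden() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    [ "$code" = "403" ]
}

# Usage: sh cleanup_backups.sh /var/www/html [--dry-run]
if [ $# -ge 1 ]; then
    remove_backup_files "$1" "${2:-}"
fi
```

Run it with --dry-run first so you can review the list; the find command deliberately matches only regular files and only the trailing-tilde pattern, so files such as index.php themselves are never touched. The curl check confirms the .htaccess rule is actually in force (if AllowOverride is too restrictive, the request comes back 200 and the source is still exposed).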
Hope that helps someone out there.